Design/config for my home network

Hi guys,
Wondering if someone can help me design this better than I have today for my home, i.e. secure it a bit more, since I have a bunch of smart devices I would like to apply proper segmentation to, etc.

Today I have a single network 192.168.0.0/24 with around 60+ clients (mostly Wi-Fi): smart meters, thermostats, vacuum, mower, radiators, dishwasher, laundry... you get the point.

I would like to segment them into the following, but I'm afraid I will blow up my configuration so that I can't access anything anymore, so I need some advice:

VLAN 1 - Core (Router, Switch, APs, Pi-hole DNS)
VLAN 10 - Trusted for Laptops and servers
VLAN 20 - IOT
VLAN 30 - Guests

or something... If I just add those VLANs in the GUI, hand-pick the clients and select the VLAN they should be on, will everything work then?

I would like all clients on any VLAN to use 192.168.0.5 (Pi-hole DNS), which I'm not sure how to configure. Static routes, or how does that work?
I probably have a few smart devices on the IoT network that shall talk to my Home Assistant and Homey on VLAN 10.

Based on the above I'm hesitant to initiate this if it breaks everything...

cheers!

Hey Zid!

Configuring VLANs on Alta Labs equipment is pretty straightforward!

Here is a great instructional video that goes through the process for the Route10, Switches, and APs - https://www.youtube.com/watch?v=QgMgEpBYNaI

One caveat that is missing from that video is that inter-VLAN communication is enabled by default!
So, if you want to isolate your Guest VLAN, you will need to toggle on “Isolation”.

If you want your Guest devices to use the Pi-Hole DNS server as well, Isolation would not be the best route in this case.

You will need to create 3 firewall rules (from high priority to low):

  1. Allow Guest VLAN to reach DNS server.
  2. Drop Guest VLAN traffic from seeing other VLANs.
  3. Drop Other VLANs traffic from seeing Guest VLAN.
  • You can use Firewall Groups to create one group that holds all of the VLAN networks, besides the Guest network of course, so you would not need to re-type it all when creating those rules.
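
The three rules above are order-sensitive, so here is an added model of them (constructed for this thread, not Alta Labs code or its API) that evaluates a flow against the list first-match style and falls through to the allow-by-default behaviour Anthony notes. 192.168.0.5 is the Pi-hole from the question; the per-VLAN /24 subnets, the `Flow` type and the rule function names are assumptions made only to have something concrete to run.

```python
"""First-match model of the Guest VLAN firewall policy described above.

Constructed example, not Alta Labs code. The Pi-hole address comes from the
thread; the subnets for VLAN 10/20/30 are assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional

PIHOLE = ipaddress.ip_address("192.168.0.5")

# VLAN 1 keeps the existing 192.168.0.0/24; the other three subnets are assumed.
VLANS = {
    "core":    ipaddress.ip_network("192.168.0.0/24"),    # VLAN 1
    "trusted": ipaddress.ip_network("192.168.10.0/24"),   # VLAN 10 (assumed)
    "iot":     ipaddress.ip_network("192.168.20.0/24"),   # VLAN 20 (assumed)
    "guest":   ipaddress.ip_network("192.168.30.0/24"),   # VLAN 30 (assumed)
}
GUEST = VLANS["guest"]
# The "Firewall Group": every VLAN except Guest, so rules 2 and 3 need one entry.
NON_GUEST = [net for name, net in VLANS.items() if name != "guest"]


@dataclass(frozen=True)
class Flow:
    """A new connection attempt (return traffic is assumed to be tracked by state)."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def _in_any(ip: ipaddress.IPv4Address, nets) -> bool:
    return any(ip in net for net in nets)


Rule = Callable[[Flow], Optional[str]]   # returns "allow"/"drop" on match, else None


def allow_guest_dns(f: Flow) -> Optional[str]:
    """Rule 1: Guest may reach the Pi-hole, but only for DNS (53/udp and 53/tcp)."""
    src, dst = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
    if src in GUEST and dst == PIHOLE and f.dport == 53 and f.proto in ("udp", "tcp"):
        return "allow"
    return None


def drop_guest_to_others(f: Flow) -> Optional[str]:
    """Rule 2: Guest may not initiate to any other VLAN (the Pi-hole's included)."""
    src, dst = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
    if src in GUEST and _in_any(dst, NON_GUEST):
        return "drop"
    return None


def drop_others_to_guest(f: Flow) -> Optional[str]:
    """Rule 3: nothing on the other VLANs may initiate into Guest."""
    src, dst = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
    if _in_any(src, NON_GUEST) and dst in GUEST:
        return "drop"
    return None


# Highest priority first, exactly as listed in the reply above.
RULES: List[Rule] = [allow_guest_dns, drop_guest_to_others, drop_others_to_guest]


def evaluate(flow: Flow, rules: List[Rule] = RULES) -> str:
    """First matching rule wins. A flow no rule matches gets the router default,
    which here is allow, including between VLANs, per the caveat in the reply."""
    for rule in rules:
        verdict = rule(flow)
        if verdict is not None:
            return verdict
    return "allow"


if __name__ == "__main__":
    checks = {
        "guest -> Pi-hole DNS":           Flow("192.168.30.10", "192.168.0.5", "udp", 53),
        "guest -> Pi-hole admin page":    Flow("192.168.30.10", "192.168.0.5", "tcp", 80),
        "guest -> Home Assistant":        Flow("192.168.30.10", "192.168.10.5", "tcp", 8123),
        "trusted -> guest device":        Flow("192.168.10.5", "192.168.30.10", "tcp", 22),
        "iot -> Home Assistant (default)": Flow("192.168.20.7", "192.168.10.5", "tcp", 8123),
        "guest -> internet":              Flow("192.168.30.10", "8.8.8.8", "tcp", 443),
    }
    for label, flow in checks.items():
        print(f"{label:34s} {evaluate(flow)}")
    # Same DNS query with rules 1 and 2 swapped: the drop rule now shadows the allow.
    misordered = [drop_guest_to_others, allow_guest_dns, drop_others_to_guest]
    print("guest DNS with rules misordered:  ", evaluate(checks["guest -> Pi-hole DNS"], misordered))
```

Two things the model makes visible: if rule 2 is placed above rule 1, Guest loses DNS silently, because the drop matches first; and scoping rule 1 to port 53 means Guest still cannot reach the Pi-hole's web interface on 80/443, while IoT to Home Assistant on VLAN 10 keeps working through the default allow.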

Hi Anthony,

Do you know the reasoning behind inter-VLAN communication being enabled by default? My background with firewalls is usually deny all, allow as needed. I have several VLANs and end up having to create a bunch of rules to block them from chatting with each other. I also have to block the VLAN clients from browsing to the default gateway IP via ports 80 and 443 to obfuscate the landing page that states "this device has already been configured on an Alta Labs controller".

It’s pretty standard for routers to allow all LAN traffic by default.

Not many block by default; some do, some don't. IMO it should be almost all allow, because it should be under your control to block. They want the Route10 to be easier for consumers/businesses out of the box.

I guess I'm just used to seeing policy-controlled forwarding as the default vs. open routing with admin-defined restrictions. Yup, sounds like usability won out over "security", which is understandable, as most probably don't create as many networks as I did.

Sophos, formerly known as Astaro, used to be exactly like that. When setting up the firewall NOTHING got out; it was kind of nice but also a PITA! lol. Only defaults like DNS and port 80 were allowed out unless you selected 443 or the mail ports. But yeah...